# Lab - Medium

## Let us commence 🚀

First, we'll begin with reconnaissance to identify open ports.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FkguAZWp8sjp2qLHR0ObO%2FScreenshot.png?alt=media&#x26;token=dd1f3a18-a859-4013-b90c-7ecf5ac3766a" alt=""><figcaption><p>nmap scan</p></figcaption></figure>

After conducting the nmap scan, we've discovered several open ports. Let's now proceed to examine and engage with each one.

Port 2049 is accessible; let's explore the NFS server to discover potential opportunities.

**NFS** (Network File System) is a **client/server** protocol that lets users access files over a network as though they were located in a local directory.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FW5drH4Ag12lmfq2QQd5V%2FScreenshot(1).png?alt=media&#x26;token=fd1f09e2-84b6-4024-8331-b2b9ee2b4f47" alt=""><figcaption></figcaption></figure>

Here, I attempted to enumerate available shares using "showmount" and discovered the directory named "TechSupport". Let's explore its contents.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fyc5eOQTjEyDhablsseKL%2FScreenshot(2).png?alt=media&#x26;token=8cc893ce-7c87-48d8-8ce9-c54235b9cf84" alt=""><figcaption></figcaption></figure>
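As an added example (not part of the original write-up), here is a defender-side audit of `showmount -e` output that flags exports offered to any host or to very broad networks, the kind of exposure worth checking for on a share like "TechSupport". The sample output, the hostname and the /16 threshold are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `showmount -e <server>` output (not taken from the lab).
SAMPLE = """\
Export list for nfs01.example.internal:
/TechSupport (everyone)
/srv/builds  10.10.20.0/24,10.10.30.5
/srv/public  *
/srv/backup  10.0.0.0/8
"""

OPEN_TOKENS = {"*", "(everyone)", "everyone"}
MIN_PREFIX = 16  # assumption: IPv4 networks wider than /16 count as over-broad


def parse_exports(text):
    """Return [(path, [client specs])]; assumes export paths contain no spaces."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list"):
            continue
        parts = line.split(None, 1)
        clients = re.split(r"[,\s]+", parts[1].strip()) if len(parts) > 1 else []
        exports.append((parts[0], clients))
    return exports


def classify(client):
    """Return a reason string if the client spec is too permissive, else None."""
    if client.lower() in OPEN_TOKENS:
        return "open to any host"
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return None  # hostname or netgroup: review manually, not flagged here
    if net.version == 4 and net.prefixlen < MIN_PREFIX:
        return f"broad network /{net.prefixlen}"
    return None


def audit(text):
    """List (export path, client spec, reason) for every permissive entry."""
    return [(path, c, reason)
            for path, clients in parse_exports(text)
            for c in clients
            if (reason := classify(c))]


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```
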

I discovered several tickets, most of which were empty except for one. Let's examine its contents.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FnsjQEGYpPZ05EFM9Mo5x%2FScreenshot(3).png?alt=media&#x26;token=84bb3098-7db3-4621-a076-f679298500bf" alt=""><figcaption></figcaption></figure>

I discovered an email containing credentials for a user named 'Alex' along with the corresponding Operator. Let's attempt to establish a connection via the RDP server to explore further possibilities.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FfATDkLUwZ8lgAoNHRDND%2FScreenshot(4).png?alt=media&#x26;token=b253bf23-f7e7-4697-80f9-28aa3234330a" alt=""><figcaption></figcaption></figure>

I have gained access to the target via RDP using Remmina. Feel free to utilize any tool of your preference. Let's explore the possibilities.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FkaswzFs8MFJWIYVueOHk%2FScreenshot(5).png?alt=media&#x26;token=a063240c-f8fe-4f46-b5ac-e54d816f9e7d" alt=""><figcaption></figcaption></figure>

I conducted enumeration on the target and discovered a file titled "important.txt" within a directory labeled "devshare," yielding credentials for a user named "sa".

Upon gaining access to the target through RDP, I found a Microsoft SQL Server. Let's attempt to access it using the credentials we've obtained.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FYdC0K68YXGnQXe7qNS1F%2FScreenshot(6).png?alt=media&#x26;token=2962729e-4ed1-4c06-893d-a683c6a9a50b" alt=""><figcaption></figcaption></figure>

When attempting to access the Microsoft SQL Server with the provided credentials, an error occurred, preventing successful login. Let's now attempt to access the Microsoft SQL Server with administrative privileges.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FiEevyJUFPMWuJmcLSqk5%2FScreenshot(7).png?alt=media&#x26;token=3b2ef29a-3b69-4705-be01-2ca5064cf114" alt=""><figcaption><p>Right Click + Run as administrator</p></figcaption></figure>

I initiated the Microsoft SQL Server application by right-clicking and selecting 'Run as Administrator.' Upon entering the password and confirming with 'Yes,' the application successfully launched, allowing me to establish a connection.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fdq8vFKQ38y3q56t2kSoV%2FScreenshot(8).png?alt=media&#x26;token=88542997-9834-4de6-88c1-a3704b38a55c" alt=""><figcaption></figcaption></figure>

Let's proceed to generate a new query to retrieve the password for the user "HTB."

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FRsoZXdGfnP112ggUo3zv%2FScreenshot(9).png?alt=media&#x26;token=3cb2ea4b-0c7d-4bcf-8f10-64d5f8a12edc" alt=""><figcaption><p>SELECT * FROM accounts.dbo.devsacc where name = 'HTB'</p></figcaption></figure>

We have successfully obtained the password for the user 'HTB' and completed the lab. Thank you for taking the time to read this write-up.
